Re: EFS and transparent file sharing on XP pro

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/30/05


Date: Fri, 29 Apr 2005 18:09:50 -0700

inlined . . .

"Jim" <nobodyhome@antispam.tv> wrote in message
news:OWYUddOTFHA.2172@tk2msftngp13.phx.gbl...
> First, thanks for your help, Roger.
>
no problem - I really do not like to see folks losing files ;-(

> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uzWi78NTFHA.3840@tk2msftngp13.phx.gbl...
> > First, get any files encrypted with the current EFS cert back
> > in the clear, unencrypted form.
> > You may then need to use the certificates mmc snapin to
> > remove the new, soon no longer needed certificate, so, with
> > all files in the clear, export the certificate and private key to
> > a .pfx file (safely tucked away in case you forgot to decrypt
> > some file) and then remove it.
> >
> > Do not do any EFS operations until . . .
> >
> > Then, use the same interface to reset the password back to
> > what it was.
> >
> > If you are back in business, then
>
> After re-logging on, yes, I can access the old files.
>

excellent

> >
> > Use the Certificates interface to export (but not remove)
> > the now active EFS cert and private key.
>
> Does it matter what format I use?
>

pfx will have the critical private key, cer does not

> BTW, the "export personal keys" using certificates.msc/export is greyed out.
> This implies that it is non-exportable.
>

now that is troubling

> However, if I use "cipher.exe /r:filename" it does create a .cer and .pfx
> file.
>
> Does this mean that I have the personal key safely exported? Or, should I
> force a decrypt of all the files while I still can?
>

you could try defining a fresh account, logging into it,
and then importing the .pfx and see if you can access
an encrypted file to which the account also has NTFS
permissions

> > Keep this not on the system but on some non-degrading
> > external storage (CD). If you had had one of these we
> > could have fixed you up directly with it.
>
> No problem.
>
> > Do not forget the password of the .pfx file !!
> >
> > Next, use the User Accounts interface in control panel to
> > create a Password recovery floppy for the account.
>
> Will do.

overlooked safeguards

>
> >
> > In the future, in a non-domain environment always _change_
> > the password, never _reset_ a password unless there is no
> > alternative. If you must reset a password, then importing
> > the previously saved EFS cert and key will be needed, as
> > well as cleaning out other certs that either are then "junk"
> > or new and potentially in the way.
>
> Thanks. I never knew that.

it has stuck a number of people with a little fright and misery

>
> I'm a little confused, however, how this works in a domain environment.
> What's the procedure in that environment for recovery?
>

In a domain there is a default recovery agent, in stand-alone there
is one in Windows 2000 Pro but not in XP Pro, where one has to
define one ahead of time.
http://support.microsoft.com/default.aspx?scid=kb;en-us;887414
Also, in a domain a reset of a password does not trigger invalidation
of access to the key store as it does in a stand-alone.

> Once again, I appreciate the help and thanks for the advice.
>

You are welcome.
The following sums up what you ran into
http://support.microsoft.com/default.aspx?scid=kb;en-us;290260

You might find interest in the following
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Jim" <nobodyhome@antispam.tv> wrote in message
> > news:OrJKu2NTFHA.2560@TK2MSFTNGP09.phx.gbl...
> > >
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:OyQzhiMTFHA.2548@TK2MSFTNGP14.phx.gbl...
> > > > Don't forget about it unless you really want to, as there are only
> > > > a couple of precautions you should take.
> > > >
> > > > So, this XP is not in a domain ? right?
> > > > That seems implied from some of your post.
> > > >
> > > > This just happened, maybe yesterday, and out of the blue.
> > > >
> > > > Did you recently change the password of the account ?
> > > > As the account is an admin it has two ways available to
> > > > give it a different password. One, which is available to
> > > > all accounts is to change it in the dialog that requires you
> > > > to provide the old and new passwords. The other is the
> > > > administrative reset of the password, which ask only for
> > > > the new password.
> > >
> > > Yes. The password was changed via "computer management."
> > >
> > > >
> > > > Using this last way will always break access to earlier
> > > > EFS encrypted files of that account.
> > >
> > > If I reset the PW back to the original, can I recover my files?
> > >
> > > >
> > > > After this happens, then the next attempt to encrypt a file
> > > > will cause a new EFS certificate to be generated for that
> > > > account.
> > > >
> > > > So, let us know if you did reset the password of the account
> > > > and we can guide you back, or if you did not, then we can
> > > > puzzle with you.
> > >
> > > I'm game....
> > >
> > > >
> > > >
> > > > --
> > > > Roger Abell
> > > > Microsoft MVP (Windows Security)
> > > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > > "Jim" <nobodyhome@antispam.tv> wrote in message
> > > > news:OBTnamJTFHA.616@TK2MSFTNGP12.phx.gbl...
> > > > > Pardon the cross posting, but I don't know which group this problem
> > > > > belongs in....
> > > > >
> > > > > Yesterday, XP pro (for a reason I can't figure out yet) added a new
> > > > > certificate for EFS for my userid. As a result, files encrypted AFTER
> > > > > that period of time can be decrypted w/o problem. However, none of my
> > > > > old files can. "access denied" is the message I get.
> > > > >
> > > > > When I view "properties" of an older file and click on "advanced," and
> > > > > then "details," I see the thumbprint of the user who can transparently
> > > > > access the file. However, when I try to add or remove/add the new
> > > > > thumbprint (ie., to "share access"), I get error code 5.
> > > > >
> > > > > Error code 5 (says MS KB article 308991) occurs when the person
> > > > > attempting to share access is neither an administrator nor the person
> > > > > who originally encrypted the file. Well, my account is both in the
> > > > > administrator group AND is the account that encrypted the file.
> > > > >
> > > > > In addition, and I don't know if this is relevant, but when I select
> > > > > "add" under the "Encryption Details" pane, a "Select User" pane opens up
> > > > > with both my certificates listed. However, both certificates, when
> > > > > opened up, have a red "X" on the icon with the text: "This CA root
> > > > > certificate is not trusted. To enable trust, install this certificate
> > > > > in the trusted root certification authorities store." Is this related
> > > > > to my problem or is this a domain only thing?
> > > > >
> > > > > My bottom line: I am looking for any ideas on how to add transparent
> > > > > access so I can decrypt the files and get them OUT of EFS.
> > > > >
> > > > > Would using "system restore" work, stepping back to the
> > > > > day-before-yesterday?
> > > > >
> > > > > After this, believe me, I intend to "forgeddaboutit" as far as EFS is
> > > > > concerned. What a pain!
> > > > >
> > > > > Thanks in advance....
> > > > >
> > > > > Regards,
> > > > > Jim
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
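The safeguards discussed in this thread (export the active EFS certificate together with its private key to a .pfx, keep the .pfx off the machine, and know which files depend on that key before touching the account's password) can be scripted. The script below is an added example written for this archive page; it is not Roger's or Jim's code and is not something the thread ran. It assumes Windows PowerShell 5.1 or later with the PKI module (Export-PfxCertificate, Get-PfxData), that it is run interactively as the user who owns the EFS key, and that $BackupPath and $ScanRoot are placeholders you replace with removable media and the folder holding your encrypted files.

```powershell
# Added example, not from the thread: back up the current user's EFS
# certificate and private key to a password-protected .pfx, verify the
# backup, and list the files that depend on that key.
# Assumptions (not stated in the thread): Windows PowerShell 5.1+ with the
# PKI module (Export-PfxCertificate, Get-PfxData); run interactively as the
# user who owns the EFS key; the two paths below are placeholders.

$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'       # Encrypting File System EKU
$BackupPath = 'E:\efs-backup\efs-key.pfx'    # placeholder: removable media, not the system disk
$ScanRoot   = "$env:USERPROFILE\Documents"   # placeholder: where the encrypted files live

# 1. Enumerate EFS certificates in the personal store. HasPrivateKey reads
#    false when the DPAPI-protected key can no longer be opened, which is
#    the state an administrative password *reset* leaves a local account in.
$efsCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid })

if ($efsCerts.Count -eq 0) {
    Write-Warning 'No EFS certificate in Cert:\CurrentUser\My; nothing to back up.'
    return
}

foreach ($c in $efsCerts) {
    '{0}  valid to {1:yyyy-MM-dd}  private key usable: {2}' -f $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey
}

# 2. Export the most recently issued certificate that still has a usable key.
#    A .cer export carries only the public half and cannot decrypt anything;
#    the .pfx is what a fresh account (or a rebuilt machine) has to import.
$cert = $efsCerts | Where-Object HasPrivateKey | Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning 'No EFS certificate with a usable private key; decrypt what you still can first.'
    return
}

$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $BackupPath) -Force
try {
    $null = Export-PfxCertificate -Cert $cert -FilePath $BackupPath -Password $pfxPassword
    "Exported $($cert.Thumbprint) to $BackupPath"
} catch {
    # Typical cause: the key was generated as non-exportable, the case Jim hit
    # when the certificates MMC greyed out "export private key".
    Write-Warning "Export failed: $($_.Exception.Message)"
    return
}

# 3. Verify the backup opens with the password and carries the same key,
#    before the .pfx goes on the shelf.
$pfx = Get-PfxData -FilePath $BackupPath -Password $pfxPassword
$restored = $pfx.EndEntityCertificates | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $restored -or -not $restored.HasPrivateKey) {
    Write-Warning 'Backup does not contain the expected private key; do not rely on it.'
} else {
    'Backup verified: .pfx contains the private key for ' + $cert.Thumbprint
}

# 4. List files with the Encrypted attribute set, so you know what that key
#    protects and what must be decrypted before any password reset.
$encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })
'{0} encrypted file(s) under {1}' -f $encrypted.Count, $ScanRoot
$encrypted | Select-Object -First 20 -ExpandProperty FullName
```

Two points worth keeping in mind alongside the thread: `cipher.exe /r:name`, which Jim ran, generates a new EFS recovery agent certificate and key pair; it does not export the user's existing EFS key, so the .pfx it writes cannot open files encrypted before it was created unless that agent is also added to the files. On Windows with a built-in backup option, `cipher.exe /x` writes the current user's own EFS certificate and keys to a .pfx without the PKI module. Either way, the only thing that avoids the whole exercise on a stand-alone machine is the rule Roger gives: change the password, never reset it.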
